Boost, asio, https and host / certificate verification

I am looking at the Boost SSL client. There is a link to OpenSSL in the comments (sorry, no line numbers):

// The verify callback can be used to check whether the certificate that is
// being presented is valid for the peer. For example, RFC 2818 describes
// the steps involved in doing this for HTTPS. Consult the OpenSSL
// documentation for more details. Note that the callback is called once
// for each certificate in the certificate chain, starting from the root
// certificate authority.

Proper use and validation of OpenSSL can be a daunting task. From experience, I know that for the library to work properly, I must do the following:

  • Disable SSLv2, SSLv3 and compression in the Context object
  • Provide the correct root certificate for chaining and validation
  • Call SSL_get_peer_certificate and verify that the certificate is not NULL
  • Call SSL_get_verify_result and check that the result is X509_V_OK
  • Perform name resolution (CN or SAN must match the requested host)

OpenSSL 1.1.0 will provide name verification, but only in HEAD at this point in time. From the OpenSSL Change Log:

 Integrate hostname, email address and IP address checking with certificate verification. New verify options supporting checking in openssl utility. 

and

 New functions to check a hostname email or IP address against a certificate. Add options x509 utility to print results of checks against a certificate. 

I do not see where Boost performs any configuration or checks in the client code.

What is the Boost setting and what does it check or verify in its component of the asio library when using SSL?

+6
1 answer

The short answer. The Boost callback function from the link you provided does not check anything. It returns any preliminary verification result provided to it by OpenSSL (via bool preverified). If any fine-grained verification is required (e.g. CN compliance, etc.), this should be done explicitly by a callback.

Long answer. By the time OpenSSL (or the Boost shell for OpenSSL) calls the validation function, in this case bool verify_certificate(bool preverified, boost::asio::ssl::verify_context& ctx), a set of preliminary (or mandatory) validation has already been done by OpenSSL. This is explained in the documentation.

The certificate chain is verified starting from the deepest nesting level (the root CA certificate) and runs up to the peer certificate. At each level, the attributes of signatures and the issuer are checked. Whenever a verification error is detected, the error number is stored in x509_ctx, and verify_callback is called with preverify_ok = 0. Using the X509_CTX_store_* functions, verify_callback can find the corresponding certificate and perform additional steps (see EXAMPLES). If no error was found for the certificate, verify_callback is called with preverify_ok = 1 before moving on to the next level.

The documentation also gives an example of how to write a finer-grained callback. You can draw inspiration from this depending on your needs.

EDIT: To make sure that the Boost internal call function does nothing special except call the application callback function, I looked at engine.ipp, a C++ module that calls OpenSSL SSL_set_verify to configure callback functions. See how verify_callback_function is implemented. It just calls the application callback.

+5
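
The name check that the answer says the callback must do itself, as an added example (not code from Boost, OpenSSL or the posts above). It assumes the dNSName entries and the CN have already been extracted from the leaf certificate as strings; `name_matches` and `host_matches_cert` are hypothetical names, and the wildcard rule is a strict reading of RFC 2818.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// DNS names compare case-insensitively (ASCII only here).
static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
        [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Match one certificate name against the requested host. A '*' is honoured
// only as the whole leftmost label and covers exactly one label.
bool name_matches(const std::string& pattern_in, const std::string& host_in) {
    const std::string pattern = lower(pattern_in), host = lower(host_in);
    if (pattern.empty() || host.empty()) return false;
    // IPv4 literals belong to iPAddress SAN entries, never to DNS names.
    if (host.find_first_not_of("0123456789.") == std::string::npos) return false;
    if (pattern.compare(0, 2, "*.") != 0) return pattern == host;
    const std::string suffix = pattern.substr(1);   // e.g. ".example.com"
    if (suffix.find('*') != std::string::npos) return false;
    // Require two labels after the wildcard, so "*.com" is rejected.
    if (std::count(suffix.begin(), suffix.end(), '.') < 2) return false;
    const std::size_t dot = host.find('.');
    if (dot == std::string::npos || dot == 0) return false;
    return host.substr(dot) == suffix;
}

// Decision for the leaf certificate inside a verify callback.
// san_dns: dNSName entries already extracted from subjectAltName (assumed
// input); cn: subject Common Name, used only if there is no dNSName entry.
bool host_matches_cert(bool preverified, const std::vector<std::string>& san_dns,
                       const std::string& cn, const std::string& host) {
    if (!preverified) return false;   // OpenSSL's chain checks already failed
    if (!san_dns.empty())
        return std::any_of(san_dns.begin(), san_dns.end(),
            [&](const std::string& n) { return name_matches(n, host); });
    return name_matches(cn, host);
}

int main() {
    // Constructed sample names, not taken from a real certificate.
    const std::vector<std::string> san = {"*.example.com"};
    for (const char* h : {"www.example.com", "a.b.example.com", "example.com"})
        std::cout << h << " -> " << host_matches_cert(true, san, "", h) << '\n';
}
```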

Source: https://habr.com/ru/post/954865/